The first vulnerability specifically exists due to insufficient
validation of user-supplied data passed to a memcpy function. The PuTTY
sftp implementation allows attackers to supply arbitrary values for the
stored length of the string in the packet. This may be observed in the
sftp_pkt_getstring() function from sftp.c in PuTTY source code:

Finally, when the memcpy function is called, heap corruption will occur,
leading to potential code execution.

The second vulnerability specifically exists due to insufficient
validation of user-supplied data passed to a malloc function. This may
be observed in the fxp_readdir_recv() function from PuTTY source code:

This function is called from scp_get_sink_action() in scp.c and
sftp_cmd_ls() in sftp.c and can lead to remote code execution via heap
corruption. Sample debugger output of heap corruption is shown below:

Successful exploitation allows remote attackers to execute arbitrary
code under the privileges of the user running PuTTY. The client must be
directed to connect to a malicious server in order to trigger the
vulnerability. It should be noted that this vulnerability may affect
applications which use PuTTY source code or binaries as an SSH protocol
backend. An example of one such product would be WinSCP3, a popular
graphical sftp/scp application for Windows.
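Both PuTTY issues above come down to a server-supplied integer (a string length, an FXP_READDIR entry count) being used to size a memcpy or a malloc before it is compared with what the packet actually contains. The following is an added example, not PuTTY's own sftp.c code, of the checks a defensive parser makes: the declared string length is compared against the bytes remaining before the copy, and a readdir count is rejected when the remaining bytes could not possibly hold that many entries. The struct layout, function names, MIN_READDIR_ENTRY_BYTES and the sample packets are all constructed for the example.

```c
/* Added example, not PuTTY's code: reading a length-prefixed SFTP string
 * field with the declared length checked against the bytes actually present
 * in the packet, and bounding an FXP_READDIR entry count before it sizes an
 * allocation. Struct layout, names and the sample packets are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct sftp_pkt {
    const unsigned char *data;
    size_t length;    /* bytes in the packet body */
    size_t savedpos;  /* read cursor, always <= length */
};

static int pkt_get_uint32(struct sftp_pkt *p, uint32_t *out)
{
    if (p->length - p->savedpos < 4)
        return 0;
    const unsigned char *b = p->data + p->savedpos;
    *out = ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8) | (uint32_t)b[3];
    p->savedpos += 4;
    return 1;
}

/* Returns a malloc'd NUL-terminated copy of the next string field, or NULL
 * when the server-supplied length is larger than what remains in the packet.
 * The caller frees the result. */
char *pkt_get_string_checked(struct sftp_pkt *p, size_t *outlen)
{
    uint32_t len;
    if (!pkt_get_uint32(p, &len))
        return NULL;
    /* This comparison is what separates the routine from an unchecked
       memcpy(len): savedpos <= length holds, so the subtraction cannot wrap. */
    if ((size_t)len > p->length - p->savedpos)
        return NULL;
    char *s = malloc((size_t)len + 1);
    if (s == NULL)
        return NULL;
    memcpy(s, p->data + p->savedpos, len);
    s[len] = '\0';
    p->savedpos += len;
    if (outlen)
        *outlen = len;
    return s;
}

/* Smallest possible encoding of one FXP_NAME entry: empty filename (4),
 * empty longname (4) and an attrs flags word (4). Assumed for the example. */
#define MIN_READDIR_ENTRY_BYTES 12

/* A count that could not be satisfied by the remaining bytes is rejected
 * before anyone computes count * sizeof(entry) for malloc. */
int readdir_count_plausible(const struct sftp_pkt *p, uint32_t count)
{
    size_t remaining = p->length - p->savedpos;
    return count <= remaining / MIN_READDIR_ENTRY_BYTES;
}

int main(void)
{
    /* Constructed packet: a correctly framed 5-byte string. */
    const unsigned char good[] = { 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o' };
    struct sftp_pkt p = { good, sizeof good, 0 };
    size_t n = 0;
    char *s = pkt_get_string_checked(&p, &n);
    printf("good: %s (%zu bytes)\n", s ? s : "(rejected)", n);
    free(s);

    /* Constructed packet: declared length 0xffffffff with one byte present. */
    const unsigned char bad[] = { 0xff, 0xff, 0xff, 0xff, 'x' };
    struct sftp_pkt q = { bad, sizeof bad, 0 };
    s = pkt_get_string_checked(&q, &n);
    printf("bad: %s\n", s ? "accepted" : "rejected");
    free(s);
    return 0;
}
```

The count check is deliberately coarse: it does not parse the entries, it only rules out counts that no well-formed packet of this size could carry, which is enough to keep a 32-bit count from driving the size of an allocation on its own.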

IV. DETECTION

iDEFENSE has confirmed that PuTTY 0.56 is vulnerable. It is suspected
that earlier versions are also vulnerable.

The following vendors distribute susceptible PuTTY packages within
their respective operating system distributions:

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-0467 to these issues. This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

Remote exploitation of a stack-based buffer overflow in various Unix /
Linux vendors implementations of cURL could allow for arbitrary code
execution on the targeted host.

An exploitable stack-based buffer overflow condition exists when using
NT Lan Manager (NTLM) authentication. The problem specifically exists
within Curl_input_ntlm() defined in lib/http_ntlm.c. Within this
function an unsigned stack-based character array of size 256, buffer[],
is passed to the Curl_base64_decode() routine defined in lib/base64.c as
can be seen here:

size_t size = Curl_base64_decode(header, (char *)buffer);

The Curl_base64_decode() routine relies on the calling function to
validate the decoded length. This function base64 decodes and copies
data directly from the HTTP reply of a server to the destination buffer,
in this case buffer[]. An attacker can construct a long base64 encoded
malicious payload that upon decoding will overflow the 256-byte static
buffer and overwrite the saved EIP. This in turn can lead to arbitrary
code execution.

III. ANALYSIS

Successful exploitation allows remote attackers to execute arbitrary
code under the privileges of the target user. Exploitation requires that
an attacker either coerce or force a target to connect to a malicious
server using NTLM authentication.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in cURL
version 7.12.1. It is suspected that prior versions are affected as
well. Any application built using a vulnerable version of libcURL will
also be affected.

V. WORKAROUND

Replace the static buffer allocation on line 106 in lib/http_ntlm.c:

unsigned char buffer[256];

With a dynamic buffer allocation:

unsigned char *buffer = (unsigned char *)malloc(strlen(header));

and recompile cURL.

VI. VENDOR RESPONSE

No vendor response received.

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.


Remote exploitation of a stack-based buffer overflow in various Unix /
Linux vendors' implementation of cURL could allow for arbitrary code
execution on the targeted host.

An exploitable stack-based buffer overflow condition exists when using
Kerberos authentication. The problem specifically exists within the
functions Curl_krb_kauth() and krb4_auth() defined in lib/krb4.c.
Within these functions a statically allocated stack-based buffer of size
1250, from struct KTEXT_ST.dat, is passed to the Curl_base64_decode()
routine defined in lib/base64.c as can be seen here:

The Curl_base64_decode() routine relies on the calling function to
validate the decoded length. This function base64 decodes and copies
data directly from the HTTP reply of a server to the destination buffer,
in this case buffer[]. An attacker can construct a long base64 encoded
malicious payload that upon decoding will overflow the static buffer and
overwrite the saved EIP. This in turn can lead to arbitrary code
execution.
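The NTLM and Kerberos cases above share one root cause: a decoder with the shape decode(src, dst) that has no way to learn how large dst is, so the bounds decision falls on every caller, and two callers in cURL (Curl_input_ntlm() into buffer[256], Curl_krb_kauth()/krb4_auth() into KTEXT_ST.dat) did not make it. The following is an added example, not cURL's lib/base64.c, of a decoder that takes the destination size and refuses input whose exact decoded length would not fit, deciding this from the encoded length and padding before any byte is written. The function names and the constructed inputs are assumptions for the example.

```c
/* Added example, not cURL's code: a base64 decoder that is told the size of
 * its destination and refuses input whose decoded form would not fit. The
 * names and the constructed inputs are assumptions for the example. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static int b64val(char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Exact decoded size of a padded base64 string, or -1 if the length is not
 * a multiple of four. Computed from the input alone, before any write. */
long b64_decoded_len(const char *src)
{
    size_t n = strlen(src);
    if (n == 0)
        return 0;
    if (n % 4 != 0)
        return -1;
    size_t pad = 0;
    if (src[n - 1] == '=') pad++;
    if (src[n - 2] == '=') pad++;
    return (long)((n / 4) * 3 - pad);
}

/* Decodes src into dst. Returns bytes written, or -1 when the input is
 * malformed or would need more than dst_size bytes. A decoder with the
 * signature decode(src, dst) cannot make the second decision at all. */
long b64_decode_bounded(const char *src, unsigned char *dst, size_t dst_size)
{
    long expected = b64_decoded_len(src);
    if (expected < 0 || (size_t)expected > dst_size)
        return -1;

    size_t out = 0;
    unsigned int acc = 0;
    int bits = 0;
    for (const char *p = src; *p != '\0' && *p != '='; p++) {
        int v = b64val(*p);
        if (v < 0)
            return -1;
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (out >= dst_size)   /* defence in depth; unreachable when the
                                      size check above is correct */
                return -1;
            dst[out++] = (unsigned char)((acc >> bits) & 0xff);
            acc &= (1u << bits) - 1;
        }
    }
    /* A '=' anywhere but the padding positions ends the loop early. */
    return (long)out == expected ? (long)out : -1;
}

int main(void)
{
    unsigned char small[256];   /* same size as the advisory's buffer[] */
    char big[345];              /* constructed: 344 chars decode to 258 bytes */
    memset(big, 'A', 344);
    big[344] = '\0';

    long n = b64_decode_bounded("aGVsbG8=", small, sizeof small);
    printf("short input: %ld bytes\n", n);
    n = b64_decode_bounded(big, small, sizeof small);
    printf("oversized input: %ld\n", n);
    return 0;
}
```

For a fixed-size destination the size check is the whole defence; the in-loop check only guards against a mistake in b64_decoded_len(). The advisory's malloc(strlen(header)) workaround works for the same reason this does: decoded base64 is never longer than its encoding.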

III. ANALYSIS

Successful exploitation allows remote attackers to execute arbitrary
code under the privileges of the target user. Exploitation requires that
an attacker either coerce or force a target to connect to a malicious
server using Kerberos authentication.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in cURL
version 7.12.1. It is suspected that prior versions are affected as
well. Any application built using a vulnerable version of libcURL will
also be affected.

V. WORKAROUND

Recompile cURL without Kerberos support if it is not needed.

VI. VENDOR RESPONSE

No vendor response received.

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.


Two vulnerabilities have been discovered in the PSCP and PSFTP clients,
which can be triggered by the SFTP server itself. These issues are
caused by the improper handling of the FXP_READDIR response, along with
other string fields.

Impact
======

An attacker can set up a malicious SFTP server that would send these
malformed responses to a client, potentially allowing the execution of
arbitrary code on their system.

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

I have been trying to reach the Security contact, in fact ANY
security contact at Sourceforge for several days now, to no avail.

I *urgently* need to speak to someone over there. And, while
we're at it, I note publicly that (a) your switchboard has no option for
Security, (b) your operator never answers, (c) the name I was trying for a
while is accepted by the automated attendant yet refused when transferred
("That number cannot be reached from here"), and (d) sending to your role
accounts does not get the desired response.

Email to measl@mfn.org or a phone call to the mfn.org role account
should both work. I would STRONGLY recommend that someone over there call
me whenever they see this, regardless of time of day or night.

--
Yours,
J.A. Terranson
sysadmin@mfn.org
0xBD4A95BF
"Quadriplegics think before they write stupid pointless
shit...because they have to type everything with their noses."
http://www.tshirthell.com/
------------------------------
Message: 11
Date: Mon, 21 Feb 2005 21:01:29 -0600
From: H D Moore <fdlist@digitaloffense.net>
Subject: Re: [Full-Disclosure] Arkeia Network Backup Client Remote
Access
To: full-disclosure@lists.netsys.com
Message-ID: <200502212101.29457.fdlist@digitaloffense.net>
Content-Type: text/plain; charset="iso-8859-1"
Just to clarify, the user manual *does* mention client security and gives
instructions for locking down the Arkeia agent. Unfortunately this is not
enabled by default and only restricts access on a per-host basis.
Appendix B: System Security (not sure how I missed this before)
ftp://ftp.arkeia.com/pub/manual/arkeia5/anb/Arkeia_User_Manual.pdf
-HD
On Sunday 20 February 2005 14:41, I wrote:
> Anyone able to connect to TCP port 617 can gain read/write access to
> the filesystem of any host running the Arkeia agent software.
------------------------------
Message: 12
Date: Tue, 22 Feb 2005 00:12:07 -0500
From: Aaron Horst <anthrax101@gmail.com>
Subject: [Full-Disclosure] phpBB Fixed full path disclosure in
username handling - 2.0.11
To: full-disclosure@lists.netsys.com
Message-ID: <ab13993b05022121122c3c2437@mail.gmail.com>
Content-Type: text/plain; charset=US-ASCII
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I. BACKGROUND
phpBB is a high powered, fully scalable, and highly customizable Open
Source bulletin board package. phpBB has a user-friendly interface,
simple and straightforward administration panel, and helpful FAQ.
Based on the powerful PHP server language and your choice of MySQL,
MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the
ideal free community solution for all web sites.
II. DESCRIPTION
The phpbb_clean_username function has an improper order of execution
allowing path and SQL table disclosure. The substr function should be
called before extra backslash (\) characters are stripped from the
string to force valid SQL requests. If it is not stripped after the
substr command, it is possible to remove the second backslash
character in a previously addslashes string (\). The following code
around line 80 in includes\functions.php is the problem:
$username = htmlspecialchars(rtrim(trim($username), "\\"));
$username = substr(str_replace("\\'", "'", $username), 0, 25);
$username = str_replace("'", "\\'", $username);
This is a trivial error, not very worrying. In some configurations
this could possibly be used for either cross site scripting or SQL
injection, however it does not appear that phpBB v2.0.11 is
vulnerable to these attacks.
The following actions are susceptible to this attack:
Login
Password reminder
Add a member to a group
Post by a user who is not logged in
Search by username
Search for username
Send private message
View users profile
To attack any of these actions, attempt to submit the username
"ABCDEFGHIJKLMNOPQRSTUVWX\YZ" (Note \ character, there must be
trailing characters after that character)
III. FIX
To alleviate this issue, the code around line 80 of
includes\functions.php should be changed as follows:
$username = substr(htmlspecialchars(str_replace("\\'", "'", trim($username))), 0, 25);
$username = rtrim($username, "\\");
$username = str_replace("'", "\\'", $username);
An upgrade to phpBB v2.0.12 includes this fix.
IV. ANALYSIS
This report was created based on phpBB v2.0.11. It was discovered on
12/30/04. It was also independently discovered by kaosone+[ONE]+ on
2/19/04, and posted to the bugtraq mailing list.
AnthraX101
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1 - not licensed for commercial use: www.pgp.com
iQA/AwUBQhq/Aw4h295M1tC9EQJW2wCgh8jhb97Vc4ZlUkzm/i5VtEiBQ1QAoKuH
UMHOhx0R9jRTU58YO5Oq91C5
=192I
-----END PGP SIGNATURE-----
------------------------------
_______________________________________________
Full-Disclosure mailing list
Full-Disclosure@lists.netsys.com
https://lists.netsys.com/mailman/listinfo/full-disclosure
End of Full-Disclosure Digest, Vol 3, Issue 42
**********************************************
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
